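# Vulnerability checks: builds the package, scaffolds the three template
# projects and scans them with bandit (static analysis) and safety
# (known-vulnerable dependencies). Both scanners run in report-only mode
# (--exit-zero / --continue-on-error), so findings never fail the job; the
# reports are only published as short-lived artifacts (retention-days: 2).
name: Vulnerability checks

on:  # yamllint disable-line rule:truthy
  push:
    paths-ignore:
      - 'version.txt'
      - '.github/workflows/**'
      - '*.md'
      - 'LICENSE'
      - 'Makefile'
  pull_request:
    paths-ignore:
      - 'version.txt'
      - '.github/workflows/**'
      - '*.md'
      - 'LICENSE'
      - 'Makefile'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the job only reads the repository
# (checkout) and uploads artifacts; neither needs a write scope.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): @v3 is a mutable tag that upstream can move; pinning
      # each action to a full commit SHA gives a reproducible, tamper-evident
      # version. Kept as tags here to match the rest of the project.
      - uses: actions/checkout@v3
      - name: Set up Python "3.8"
        uses: actions/setup-python@v3
        with:
          python-version: "3.8"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install wheel
          python setup.py sdist bdist_wheel
          cd dist
          # Install the freshly built wheel. The path is quoted so it is
          # passed as a single argument even if it contains spaces or
          # glob characters.
          whl_files=( *.whl )
          whl_file=${whl_files[0]}
          pip install "$whl_file"
          pip install flake8
          pip install bandit
      - name: Create projects
        run: |
          # Create new temporary projects from the installed generators
          mkdir tmp_projects
          generate_nlp_project -n tmp_project_nlp -p tmp_projects/tmp_project_nlp
          generate_num_project -n tmp_project_num -p tmp_projects/tmp_project_num
          generate_vision_project -n tmp_project_vision -p tmp_projects/tmp_project_vision
      - name: Run bandit
        run: |
          # Run bandit over the generated projects.
          # --exit-zero: findings are written to the report but never fail
          # the job.
          # --skip B101 (assert used), B301 (pickle load calls), B403
          # (import pickle): the pickle checks are deliberately silenced, so
          # deserialization of untrusted data is NOT covered by this scan —
          # review those code paths by hand.
          bandit -r tmp_projects --skip B101,B301,B403 -o bandit_outputs.txt -f txt --exit-zero
      - name: Archive bandit outputs
        uses: actions/upload-artifact@v3
        with:
          name: bandit_outputs
          path: bandit_outputs.txt
          retention-days: 2
      - name: Run safety
        # Each project's requirements are installed into its own venv and
        # `safety check` is run against that venv, so the three reports are
        # independent of one another and of the job's global site-packages.
        # --continue-on-error: vulnerable dependencies are reported, never
        # fail the job.
        run: |
          # NLP
          cd tmp_projects/tmp_project_nlp
          python -m venv venv_nlp
          source venv_nlp/bin/activate
          pip install -r requirements.txt
          pip install safety
          cd ../../
          safety check --output text --continue-on-error > insecure_report_nlp.txt
          deactivate
          # NUM
          cd tmp_projects/tmp_project_num
          python -m venv venv_num
          source venv_num/bin/activate
          pip install -r requirements.txt
          pip install safety
          cd ../../
          safety check --output text --continue-on-error > insecure_report_num.txt
          deactivate
          # VISION
          cd tmp_projects/tmp_project_vision
          python -m venv venv_vision
          source venv_vision/bin/activate
          pip install -r requirements.txt
          pip install safety
          cd ../../
          safety check --output text --continue-on-error > insecure_report_vision.txt
          deactivate
      - name: Archive safety outputs
        uses: actions/upload-artifact@v3
        with:
          name: safety_outputs
          path: |
            insecure_report_nlp.txt
            insecure_report_num.txt
            insecure_report_vision.txt
          retention-days: 2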